Compliance In Focus: Cybersecurity
With the continued threat of cyber-attacks on firms, it is important that robust cybersecurity measures are in place, proportionate to the nature and complexity of the firm and to the sensitivity of the information and data it holds. Consequently, for smaller firms, i.e. sole traders and one- or two-person firms, some measures may not be applicable. Cybersecurity can be defined as the protection of the firm’s systems, networks and data against IT-based attacks. Such threats and attacks are becoming ever more prevalent, sophisticated and complex.
The advancement of IT has changed the way members conduct business. IT is now a key enabler of a firm’s business strategy and is no longer simply a support function. As a result, there is a heightened risk when it comes to IT systems failure and cyber ‘trigger events’, e.g. data theft or destruction. Cyber-attacks may come in two forms: a firm may be subject to a deliberate attack if it is viewed as holding valuable data, or the attack may be opportunistic in nature, brought about by the discovery of a weakness in the firm’s structure.
Firms should first identify and appoint a person within the firm who is responsible for IT. This person should be sufficiently senior and should report to the Board (if applicable). Subsequently, the pertinent stages in any IT compliance project are: assessment of the current position (carried out either by the sole trader or the individual appointed within the firm for IT, or by a third-party service provider); a gap analysis, i.e. identifying what shortfalls exist; and remediation, i.e. the action to be undertaken and the new systems and measures to be put in place. Following remediation, it is incumbent on the firm to continually monitor, audit and review the process. A firm’s cybersecurity policy should be proportionate to the risks faced by that individual firm, and its basis should be a risk assessment. Adequate staff training and ongoing communication with staff regarding potential risks are vital.
The following are steps that can be taken by members to mitigate risks:
Members should also be aware that the EU’s Digital Operational Resilience Act (“DORA”) entered into force on 16 January 2023 and will apply from 17 January 2025. The Regulation’s goal is to strengthen the IT security of financial entities such as banks, insurance companies and investment firms against the increasing risk of cyber-attacks.
Micro and SME insurance intermediaries are outside the scope of DORA. MiFID II “opt-out investment firms” are also exempted. Large insurance intermediaries are in scope; however, DORA requires that its rules be applied in accordance with the proportionality principle, taking into account the size, nature, scale and complexity of the firm’s services, activities and operations, and its overall risk profile.
On 19 June, the European Supervisory Authorities (EIOPA, ESMA and EBA, collectively the ESAs) opened a public consultation on four sets of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) under DORA. After the consultation period, the ESAs will adopt a final version of their draft RTS and ITS, which will then be adopted by the Commission and enter into force unless the European Parliament or the Council object to them within three months. Brokers Ireland are monitoring these developments at EU level and will update members accordingly.